🧐Active Information Gathering

DNS (Domain Name System)

DNS (Domain Name System) is a fundamental internet protocol that translates human-readable domain names (e.g., example.com) into numerical IP addresses (e.g., 192.0.2.1). It enables users to access websites and services by converting user-friendly domain names into machine-readable IP addresses, facilitating communication between devices on the internet. DNS plays a crucial role in ensuring efficient and reliable internet connectivity, making it possible for users to access online resources using familiar domain names instead of memorizing complex IP addresses.

A DNS server is a crucial component of the Domain Name System (DNS), responsible for translating human-readable domain names into their corresponding IP addresses. When users request a website or service, the DNS server resolves the domain name to the correct IP, facilitating communication between devices on the internet. DNS servers can be configured as authoritative, handling specific domains, or as recursive, helping clients find IP addresses for any domain they query.

Examples of public DNS servers:

  1. Google Public DNS:

    • IPv4: 8.8.8.8, 8.8.4.4

    • IPv6: 2001:4860:4860::8888, 2001:4860:4860::8844

  2. Cloudflare DNS:

    • IPv4: 1.1.1.1, 1.0.0.1

    • IPv6: 2606:4700:4700::1111, 2606:4700:4700::1001

  3. OpenDNS (Cisco Umbrella):

    • IPv4: 208.67.222.222, 208.67.220.220

    • IPv6: 2620:119:35::35, 2620:119:53::53

DNS Zone Transfers

DNS zone transfers (the AXFR query type) are the mechanism secondary DNS servers use to synchronize their data with a primary server. During a zone transfer, the primary server sends a complete copy of the zone's records to the secondary server, keeping information consistent and up to date across multiple servers. A server that answers AXFR requests from anyone, rather than only from its secondaries, hands out its whole zone (every hostname and address it knows about) to any client that asks, so access controls are essential: restrict zone transfers to the addresses of your secondary servers, or authenticate them with TSIG keys.

DNS Reconnaissance

DNS reconnaissance is the process of gathering information about a domain's DNS infrastructure to identify potential targets and vulnerabilities. It involves querying DNS records to map the network and understand its structure.

  • Dnsenum is a command-line tool for gathering information about a domain's DNS records (name servers, mail servers, subdomains). It can also attempt DNS zone transfers, which succeed only against misconfigured servers.

  • dig is a versatile DNS (Domain Name System) tool used to perform DNS queries and retrieve records for a given domain. Its axfr query type (dig axfr example.com @nameserver) requests a zone transfer, which again succeeds only against misconfigured servers.

  • Fierce is a DNS reconnaissance tool used to discover and enumerate DNS information for a target domain. It attempts zone transfers and gathers DNS information from various DNS servers.

  • dnsrecon is a DNS enumeration tool used for performing reconnaissance on DNS records. It helps identify and gather detailed information about DNS infrastructure, including records like A, AAAA, MX, and NS.
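The tools above all print the outcome of a zone-transfer attempt in dig's zone-file format. The script below is an added example, not code from this page or from any of those tools: it parses the output of dig axfr for a zone, reports whether the transfer actually succeeded (a complete AXFR begins and ends with the zone's SOA record; dig prints "; Transfer failed." when the server refuses), summarizes the record types, and flags names that point into private address space, since a zone that transfers to anyone and contains internal addresses leaks the internal network layout. The sample dig output is constructed, and the function names are the example's own.

```python
"""Audit the output of `dig axfr <zone> @<nameserver>` (added example)."""
import ipaddress
import subprocess
from collections import Counter

# RFC 1918 IPv4 ranges and IPv6 unique-local addresses; 192.0.2.0/24 is the
# documentation range used in the constructed sample and is treated as public.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def run_axfr(zone: str, nameserver: str) -> str:
    """Ask one authoritative server for the zone and return dig's raw output."""
    result = subprocess.run(["dig", "axfr", zone, f"@{nameserver}"],
                            capture_output=True, text=True, check=False)
    return result.stdout


def parse_axfr(text: str) -> dict:
    """Return {'transferred': bool, 'records': [...], 'by_type': Counter}."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue                       # dig comments and blank lines
        parts = line.split(None, 4)        # name ttl class type rdata
        if len(parts) < 5:
            continue
        name, ttl, _cls, rtype, rdata = parts
        records.append({"name": name, "ttl": int(ttl), "type": rtype, "rdata": rdata})
    transferred = ("Transfer failed." not in text
                   and len(records) >= 2
                   and records[0]["type"] == "SOA"
                   and records[-1]["type"] == "SOA")
    return {"transferred": transferred, "records": records,
            "by_type": Counter(r["type"] for r in records)}


def internal_hosts(records: list) -> list:
    """Names whose A/AAAA records point at private (RFC 1918 / ULA) space."""
    found = []
    for r in records:
        if r["type"] not in ("A", "AAAA"):
            continue
        try:
            ip = ipaddress.ip_address(r["rdata"])
        except ValueError:
            continue
        if any(ip in net for net in PRIVATE_NETS):
            found.append(r["name"])
    return found


# Constructed sample: what dig prints when a server allows the transfer.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> axfr example.com @ns1.example.com
;; global options: +cmd
example.com.      3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.      3600 IN NS  ns1.example.com.
example.com.      3600 IN NS  ns2.example.com.
example.com.      3600 IN MX  10 mail.example.com.
mail.example.com. 3600 IN A   192.0.2.25
www.example.com.  3600 IN A   192.0.2.80
dev.example.com.  3600 IN A   10.10.5.20
vpn.example.com.  3600 IN A   192.0.2.99
example.com.      3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
;; Query time: 12 msec
;; XFR size: 9 records (messages 1, bytes 300)
"""

# Constructed sample: a correctly restricted server.
SAMPLE_REFUSED = """\
; <<>> DiG 9.18.1 <<>> axfr example.com @ns2.example.com
;; global options: +cmd
; Transfer failed.
"""

if __name__ == "__main__":
    for label, text in (("ns1", SAMPLE_AXFR), ("ns2", SAMPLE_REFUSED)):
        report = parse_axfr(text)
        print(label, "transfer allowed:", report["transferred"],
              dict(report["by_type"]), "internal:", internal_hosts(report["records"]))
```

To audit a real zone, replace the samples with run_axfr("yourzone.example", "ns1.yourzone.example") for each of the zone's NS records; every server that reports transferred=True from a host that is not one of its secondaries needs its allow-transfer configuration tightened.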


Host Discovery

Nmap is a powerful network scanning tool used to discover hosts and services on a computer network. It allows you to specify a target IP address or hostname and scan a range of ports to determine which ones are open and what services are running on those ports.

  • -sn flag in nmap initiates a ping scan: host discovery only, with no port scan. By default it sends an ICMP Echo Request and, when run as root, also a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request; against hosts on the local Ethernet segment it uses ARP requests instead. Any host that answers one of these probes is reported as up.

Netdiscover is a network scanning tool used to discover active hosts on a network by sending ARP requests and listening for responses, providing a quick way to find live hosts within a specified IP range.


Port Scanning

Nmap flags for port scanning:

  • -Pn flag in nmap disables host discovery and assumes the target host(s) are online, bypassing ICMP ping probes and allowing direct scanning of specified ports and services.

  • -p- flag in nmap initiates a full port scan, probing all 65535 TCP ports on the target host(s) to identify open ports and services.

    • -p 80 : one port to be scanned

    • -p 80,445,21 : multiple ports to be scanned (comma-separated, no spaces)

    • -p 22-8080 : a range of ports to be scanned (both bounds between 1 and 65535)

  • -F flag in nmap initiates a Fast Scan by probing the top 100 most common TCP ports on the target host(s) to quickly identify active services.

  • -sU flag in nmap initiates a UDP scan to detect open UDP ports on the target host(s), helping to identify potential services running on those ports.

  • -sV flag in nmap enables version detection, allowing it to determine the versions of services running on the open ports discovered during the scan.

  • -O flag in nmap enables operating system detection, allowing it to make educated guesses about the underlying operating system running on the target host(s) based on network fingerprints and responses.

  • -sC flag in nmap runs the default set of NSE scripts (the same as --script=default) against the open ports found, gathering additional service information and flagging some common misconfigurations; it is not a full vulnerability scan.

  • -A flag in nmap enables aggressive scanning, combining OS detection, version detection, script scanning, and traceroute to comprehensively gather information about the target host(s).

  • -T4 option in nmap sets the timing template to a reasonably fast scan speed, balancing scan time with the chances of detection by intrusion detection/prevention systems or firewalls.

  • -oN is used for saving scan results in a human-readable format, while -oX is used for saving results in a structured XML format for further processing with other tools or scripts.
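Both the host-discovery section and the port-scanning flags above end up as an nmap command line whose results you then have to read back, and -oX is the output format meant for that. The script below is an added example, not code from this page or from the nmap project: it validates a -p specification the way nmap will actually accept it (no spaces, every port between 1 and 65535, "-" for all ports), builds the argument list for either a -sn ping scan or a -sV service scan with -oX - so the XML report arrives on stdout, and parses that XML into live hosts and open ports. The sample XML is constructed and the function names are the example's own.

```python
"""Build an nmap command line and parse its -oX report (added example)."""
import re
import subprocess
import xml.etree.ElementTree as ET

_PORT_ELEM = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def validate_port_spec(spec: str) -> str:
    """Normalise a -p value: drop spaces and check every port is 1..65535.
    A bare '-' means all 65535 TCP ports (nmap's -p-)."""
    spec = spec.replace(" ", "")
    if spec == "-":
        return spec
    for part in spec.split(","):
        m = _PORT_ELEM.match(part)
        if not m:
            raise ValueError(f"bad port element {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port out of range in {part!r}")
    return spec


def build_nmap_argv(target: str, ports: str = "-", ping_only: bool = False) -> list:
    """-sn for host discovery, otherwise -sV on the validated ports."""
    argv = ["nmap"]
    if ping_only:
        argv.append("-sn")
    else:
        argv += ["-sV", "-p" + validate_port_spec(ports)]
    argv += ["-oX", "-", target]           # -oX - writes the XML report to stdout
    return argv


def parse_nmap_xml(xml_text: str) -> list:
    """Return one dict per <host>: ip, state, reason and its port list."""
    hosts = []
    for host in ET.fromstring(xml_text.strip()).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        entry = {"ip": addr.get("addr") if addr is not None else None,
                 "state": status.get("state") if status is not None else "unknown",
                 "reason": status.get("reason") if status is not None else None,
                 "ports": []}
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            entry["ports"].append({
                "port": int(port.get("portid")), "proto": port.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None})
        hosts.append(entry)
    return hosts


def live_hosts(hosts: list) -> list:
    return [h["ip"] for h in hosts if h["state"] == "up"]


def open_ports(hosts: list) -> dict:
    return {h["ip"]: [p["port"] for p in h["ports"] if p["state"] == "open"]
            for h in hosts if h["state"] == "up"}


def scan(target: str, ports: str = "-", ping_only: bool = False) -> list:
    """Run nmap (must be installed and on PATH) and parse its XML report."""
    argv = build_nmap_argv(target, ports, ping_only)
    out = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    return parse_nmap_xml(out)


# Constructed sample report: one host up (found via ARP, two open ports) and one down.
SAMPLE_XML = """
<nmaprun scanner="nmap" args="nmap -sV -p22,80,443 -oX - 192.0.2.0/29">
  <host><status state="up" reason="arp-response"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_XML)
    print("live hosts:", live_hosts(hosts))
    print("open ports:", open_ports(hosts))
    print("argv:", " ".join(build_nmap_argv("192.0.2.0/24", ping_only=True)))
```

Validating the port specification up front catches the two mistakes nmap otherwise rejects at run time (spaces after the commas and a bound above 65535), and reading -oX - from stdout rather than a file keeps the scan-and-parse step a single subprocess call.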




Hacker's Mantra: Privacy should not be a luxury good. - Sundar Pichai
